From the GDPR to Brexit and the new AI data privacy legislation currently being discussed, the last few years have been a busy time in the world of European compliance. While the primary concerns for many during Brexit have been the free movement of goods and people, the ability to transfer personal data in and out of the EU is something of paramount importance too, particularly for businesses like HireRight, who rely on these data transfers to operate.
So, what is the potential impact of Brexit on data transfers between the UK and the EU, the importance of the UK’s ruling of adequacy, and the wide-reaching impact of the GDPR on global data privacy legislation?
From a legal perspective, due to the negotiations that have occurred regarding the trade deal itself and provisions within it, as well as the efforts of the UK government and the EU commission to ensure the ruling of adequacy, Brexit will have no practical impact on data transfers.
On 28 June 2021, the UK received its full formal ruling of adequacy, allowing businesses to transfer data from the EU into the UK without having to take any further steps, because the UK is deemed to be a safe place and offer adequate security and technical measures to protect data.
Prior to the trade deal being agreed upon, one thing that was quite interesting was a reluctance of EU entities to engage with or be completely comfortable with the idea that data centres may not be in the EU, especially where they deal with personal data. Part of the reason for that was because of the Schrems II case ruling, which determined that the Privacy Shield in the US was no longer applicable.
The ruling also shed some controversy around the standard contractual clauses, and that an entity really needs to be sure that it is the right method for the data transfer, because with no ruling of adequacy, the method of transfer would have been these standard contractual clauses. There was a certain reluctance because that adequacy ruling would be the best thing, and at one point at the end of 2020 the trade negotiations looked like they might fail and there would be a no deal, which caused some EU entities to be a little cautious.
Fast forward, there’s still a little bit of caution, but ultimately the trade deal required that no EU country engages in any new laws, meaning that EU entities should not engage in activity whereby they make it a requirement that you have on-shore data within the EU, because that would go against the principals of the trade deal, and also the adequacy ruling. The expectation is that any nervousness that would arise from a non-statutory basis, over time will hopefully diminish, and that data will free flow between the EU and the UK based on the adequacy ruling.
When considering what other recent legislation updates have had an impact from a compliance perspective, there have been a few things that have been quite interesting from a case law perspective. There have been a couple of high-profile data breaches in the UK, which have resulted in quite large fines from the Information Commissioner’s Office (ICO).
One of the things that privacy specialists wondered about with the advent of the GDPR and enhanced candidate rights is “would we start to see class actions or ‘ambulance-chasing’ in effect, in relation to data breach claims?”
We’ve started to see adverts both on the television and coming through into our emails of people affected by a particular data breach. Anyone who was a customer of that organisation will have received an email from them or have been invited to get in touch to join the class action and potentially win some damages. So not only is the company exposed to GDPR fines, but also potentially a class action where they might have to pay compensation directly to individuals – and we’re starting to see a little bit of a trend in relation to this.
The second large impact is the Schrems II case. Back in 2015, the Austrian privacy activist Max Schrems challenged Safe Harbour, and ultimately it was demolished, and in its place Privacy Shield was implemented. The Privacy Shield safeguards the transfer of data from the EU, and at the time the UK, into the US and is a certification that you could obtain for your American organisation.
Schrems challenged Privacy Shield as well, and in July 2020 his challenge was upheld, and Privacy Shield was deemed to no longer be an appropriate and adequate protection in respect to data transfers. That meant that any organisation that solely relied on Privacy Shield to provide that protection had to pivot and ensure that other measures were put in place, whether they be binding corporate rules or standard contractual clauses.
There are a couple of regulatory authorities, for example Norway and Germany, that overnight asked organisations within their territory if they did rely on a Privacy Shield certified organisation to store their personal data that they immediately ceased to do so. It was an incredibly impactful ruling.
Now, any organisation that has ring-fenced data, such as HireRight, so that they bifurcate their US data and EU data, and keep their EU data firmly in EU or UK soil, was not impacted by that particular ruling. But save for standard contractual clauses will now quite clearly have much more scrutiny paid to them, and the EU commission has issued updated drafts of those standard contractual clauses, which are designed to make them more robust. It has also introduced processes to processor model clauses, which are available for review and comment that have been long overdue (we’ve been waiting for those since 2010).
The final thing that’s impactful has happened just recently, where the EU Commission has issued its position paper on a new directive to govern the usage of artificial intelligence (AI) and how it interacts with data privacy. This is really interesting in respect to recognition that technology and automation are really driving how data is being processed, and that that in and of itself does carry some risk.
The consultation paper has now opened up, and I urge all organisations that process data and want to utilise technology to have a look at that and to maybe participate in that consultation, for that legislation will also be impactful.
Caroline Smith is VP and deputy general counsel at HireRight